PhenixID

Step by Step – WordPress MFA and SSO with PhenixID Authentication Services

Summary

This document guides you through the steps to enable multi-factor authentication and SSO for the WordPress CMS (https://wordpress.com/) using PhenixID Authentication Services as SAML Identity Provider.

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • WordPress instance administrative rights

Overview

This step-by-step guide is based on the MiniOrange SSO SAML SP Plugin for WordPress. The plugin supports IdP-initiated SAML out of the box. For SP-initiated SAML, the premium version of the plugin is required.

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.)
  2. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider
  3. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout
  4. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow
  5. Make sure these attributes (they may be named differently based on your user store environment) are fetched from the user store:
    givenName
    sn
    mail

    (Also, if you plan to control the WordPress user role from the Identity Provider, fetch the appropriate data, such as group membership, to be able to configure appropriate role value).

  6. If your attributes are named differently than above, add PropertyAddValve(s) to populate values under the names above. Example (copying the user store attribute firstName into givenName):
    PropertyAddValve
    name=givenName
    value={{item.firstName}}
  7. Make the following adjustments to the execution flow.
    1. Click AssertionProvider
      1. Set NameID Attribute = mail
      2. Set additional attributes = mail,givenName,sn,role
        Example:
    2. Save
  8. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”.
  9. Save.
  10. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider
  11. Click View SAML Metadata
  12. Download the displayed SAML IdP metadata to an XML file.
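The NameID and attribute settings in step 7 are what the WordPress attribute mapping later relies on, so it helps to be able to confirm what the IdP actually emits before touching the WordPress side. The following is an added example, not code from the guide or from PhenixID: it parses a SAML assertion (a constructed sample is embedded; the issuer URL and user values are placeholders) and reports whether the NameID equals the mail attribute and whether mail, givenName and sn are present. A user store that still exposes firstName instead of givenName shows up as a missing attribute, which is exactly the case the PropertyAddValve in step 6 is meant to fix.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for all lookups below
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the WordPress mapping expects (guide, step 7);
# role is optional and only needed when the IdP controls the WordPress role.
REQUIRED_ATTRIBUTES = ("mail", "givenName", "sn")
OPTIONAL_ATTRIBUTES = ("role",)

# Constructed sample assertion for this example. Issuer, user and values are
# placeholders and are not taken from any real deployment.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (name_id, {attribute name: [values]}) from an assertion or a
    Response wrapping one. Works on the XML only; signature validation is
    the SP's job and is not done here."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), attrs


def check_assertion(assertion_xml):
    """Compare the assertion against the guide's mapping. Returns a list of
    problems; an empty list means WordPress will get what it expects."""
    name_id, attrs = extract_attributes(assertion_xml)
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append(f"missing attribute {name}")
    if name_id is None:
        problems.append("missing NameID")
    elif attrs.get("mail") and name_id != attrs["mail"][0]:
        problems.append("NameID does not equal mail attribute")
    return problems


def assigned_role(assertion_xml):
    """Role value the IdP sends, or None when WordPress keeps its default."""
    _, attrs = extract_attributes(assertion_xml)
    values = attrs.get("role") or []
    return values[0] if values else None


if __name__ == "__main__":
    print("problems:", check_assertion(SAMPLE_ASSERTION))
    print("role:", assigned_role(SAMPLE_ASSERTION))
```

To run this against a real assertion, paste the decoded XML from a browser SAML tracer into SAMPLE_ASSERTION; the check only reads the XML, it does not verify the signature, so it tells you the attribute set is right, not that the assertion is authentic.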

Configure WordPress

  1. Follow this guide. Use the following options:
    1. Step 1 – use the B option to download the SP metadata file. Name the file sp.xml.
    2. Step 2 – Use the A option and upload the IdP metadata file downloaded in the previous step.
      Set Identity Provider Name = Organization IdP, replacing Organization with your organization name.
    3. Step 3 – Attribute mapping. Use these values:
      Username = mail
      Email = mail
      First Name = givenName
      Last Name = sn
      Group/role = role [OPTIONAL]
    4. Step 4 – Role mapping [OPTIONAL]
      Follow the instructions.
    5. Step 5 – SSO settings. Enable if possible (only if Premium). Follow the instructions.

Add WordPress as trusted Service Provider in PhenixID Authentication Services

  1. Log in to the configuration manager
  2. Scenarios->Federation
  3. SAML Metadata upload
  4. Upload the file sp.xml.

Add configuration for IdP-initiated SAML on PhenixID Authentication Services

  1. Open sp.xml in a text editor
  2. Copy the entityID value
  3. Log in to the configuration manager
  4. Scenarios->Federation->Your IdP
  5. Execution Flow
  6. Expand AssertionProvider
  7. Add the copied entityID value to the Source ID field.
  8. Save

Test

IdP-initiated

  1. Browse to the IdP SSOService-location URL (found in the IdP metadata)
  2. Authenticate
  3. You should now be redirected to WordPress and be logged in (with the correct role if the IdP controls the role)
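Two values in the steps above are read by hand out of metadata files: the entityID from sp.xml (Source ID for IdP-initiated SAML) and the IdP SSOService location used to start the IdP-initiated test. The following is an added example, not code from the guide, the plugin or PhenixID: it pulls both out of SAML metadata with the standard library and also compares the SP's AuthnRequestsSigned flag with the IdP's WantAuthnRequestsSigned flag, which is the mismatch the "Require signed requests" step in the IdP configuration is there to avoid. The embedded SP and IdP metadata are constructed samples with placeholder URLs, and the assumption that "Require signed requests" maps to WantAuthnRequestsSigned in the exported IdP metadata is mine, not stated by the guide.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the two bindings we care about
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what the plugin's downloaded sp.xml looks like;
# the entityID and ACS URL are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://wordpress.example.test/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wordpress.example.test/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample IdP metadata; the host is a placeholder, the logout path
# follows the Post SLO url pattern given in the guide.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/authenticate/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/authenticate/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/authenticate/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(element, name):
    """Read an XML boolean attribute; absent means false per the schema default."""
    return (element.get(name, "false") or "false").strip().lower() == "true"


def entity_id(metadata_xml):
    """The entityID that goes into the AssertionProvider Source ID field."""
    return ET.fromstring(metadata_xml).get("entityID")


def sp_summary(metadata_xml):
    """Key facts from SP metadata: entityID, signing flags and ACS endpoints."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entityID": root.get("entityID"),
        "AuthnRequestsSigned": _flag(sp, "AuthnRequestsSigned"),
        "WantAssertionsSigned": _flag(sp, "WantAssertionsSigned"),
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def idp_sso_locations(metadata_xml):
    """Map of binding -> SingleSignOnService URL; the Redirect one is what
    you browse to for the IdP-initiated test."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    return {s.get("Binding"): s.get("Location")
            for s in idp.findall("md:SingleSignOnService", NS)}


def signing_mismatch(sp_xml, idp_xml):
    """True when the IdP insists on signed AuthnRequests but the SP declares
    it will not sign them; SP-initiated logins would then be rejected."""
    idp = ET.fromstring(idp_xml).find("md:IDPSSODescriptor", NS)
    return _flag(idp, "WantAuthnRequestsSigned") and not sp_summary(sp_xml)["AuthnRequestsSigned"]


if __name__ == "__main__":
    print("Source ID:", entity_id(SP_METADATA))
    print("IdP-initiated test URL:", idp_sso_locations(IDP_METADATA)[HTTP_REDIRECT])
    print("signing mismatch:", signing_mismatch(SP_METADATA, IDP_METADATA))
```

Replace the two embedded strings with the contents of sp.xml and the downloaded IdP metadata file to run it against your own configuration.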

SP-initiated

(Only with the premium version of the MiniOrange SSO plugin)

  1. Browse to your WordPress URL
  2. Select to login with the IdP
  3. Authenticate
  4. You should now be redirected to WordPress and be logged in (with the correct role if the IdP controls the role)

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se